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In this article we present a general security strategy for quantum secret sharing (QSS) protocols 
based on the HBB scheme presented by Hillery, Buzek and Berthiaume [Phys. Rev A 59, 1829 
(1999)]. We focus on a generalization of the HBB protocol to n communication parties thus including 
n-partite GHZ states. We show that the multipartite version of the HBB scheme is insecure in certain 
settings and impractical when going to large n. To provide security for such QSS schemes in general 
we use the framework presented by some of the authors [M. Huber, F. Minert, A. Gabriel, B. C. 
Hiesmayr, Phys. Rev. Lett. 104, 210501 (2010)] to detect certain genuine n partite entanglement 
between the communication parties. In particular, we present a simple inequality which tests the 
security. 
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I. INTRODUCTION 

In classical cryptography secret sharing has been in- 
troduced by Shamir [l[ and Blakley @ in 1979 and is 
useful in many applications. The main idea is to divide 
a secret into several shares and distribute these shares 
among several parties such that the secret can be recon- 
structed when a certain number of parties (or all) come 
together and combine their shares. Additionally, each 
party alone is not able to gain any information about 
the secret. The idea of secret sharing has been brought 
to Quantum Cryptography in 1999 when Hillery, Buzek 
and Berthiaume presented their scheme @ based on GHZ 
states. Since then Quantum Secret Sharing (QSS) has 
been another field of great interest besides Quantum Key 
Distribution (QKD). In the same year Karlsson, Koashi 
and Imoto also presented a similar QSS protocol based on 
Bell states [|| and several other schemes followed [HI?} . 

Most of these protocols make heavy use of entangled 
states to communicate between several parties. In gen- 
eral, the security of such protocols is rather complex to 
analyze since there are more parties involved compared to 
QKD and some of the legal participants have to be con- 
sidered dishonest. This model of adversaries from the in- 
side is in fact much stronger because such an adversary in 
general has more advantages than an eavesdropper from 
the outside. The success of the protocol depends strongly 
on the fact that all parties share a certain genuine mul- 
tipartite entangled state after transmission. We show in 
this paper that the security of a protocol can be obtained 
by checking for this certain genuine multipartite entan- 
glement. For that we use the framework presented in 
Refs. [3, [l9| which provide Bell-like inequalities which 
are experimentally testable. 

In the following section we shortly review the HBB 



scheme including the argument presented in Ref. [20| re- 
garding the security against a cheating Charlie. Further, 
we discuss the generalization of the HBB scheme to n 
qubits and present a successful eavesdropping strategy 
based on the argument in Ref. [20]. Based on the in- 
equalities we provide a new security argument for n qubit 
secret sharing protocols. 



II. THE HBB SCHEME 

In their article [3| Hillery, Buzek and Berthiaume pre- 
sented a quantum secret sharing scheme based on the 
distribution of GHZ states of the form 
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between three parties, Alice, Bob and Charlie. Each 
party measures its qubit at random in one of two bases. 
Based on their results, Bob and Charlie together are able 
to determine Alice's result but individually have no in- 
formation about it. 

In detail, Alice generates copies of the state \^>) in her 
laboratory and sends qubit B to Bob and qubit C to 
Charlie. Then, each party randomly chooses to measure 
its qubit either in the X or in the Y basis. The eigen- 
statcs of these bases arc 
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Taking the X basis the GHZ state |^) can be written as 
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messages is not implicitly preserved by the network. Al- 
ice has to tell each party when to send its result and has 
to wait on the response. In case of three parties as in the 
HBB scheme there is no big difference but it can become 
a large overhead when going to n parties. 



III. A NEW SECURITY ARGUMENT 



TABLE I: Charlie's state depending on Alice's and Bob's mea- 
surement result. 

From this fact it is easy to see that if both Alice and 
Bob perform their measurements in the X basis and 
obtain the same result, Charlie ends up with the state 
\x + ). Otherwise, if Alice and Bob obtain different re- 
sults, Charlie ends up with the state \x~). Regarding 
the case when Alice and Bob perform their measurement 
both in the Y basis or in different bases similar conditions 
can be found for Charlie's state (c.f. table [I]). 

After each party performed its measurement they all 
announce their bases for the whole sequence sent by Al- 
ice but do not reveal the specific result. Additionally, 
all three parties sacrifice some of the remaining measure- 
ment results to check for eavesdroppers and dishonest 
parties by comparing them publicly. Based on the in- 
formation about the basis choice of the remaining qubits 
Charlie always knows whether Alice and Bob have the 
same results or not, but he has no information about 
their exact results. Further, Bob knows that he either 
has the same or the opposite result of Alice and thus 
needs the information about Charlie's measurement re- 
sult to fully determine it. Thus, Bob and Charlie have to 
collaborate to obtain Alice's result. Due to the random 
choice of the measurement bases, Charlie will measure in 
the wrong basis half of the times. These cases can be 
identified when the three parties reveal their bases and 
the respective qubits have to be discarded. 

The security argument, as is described above, has been 
presented in Ref. Q but later that year Karlsson et al. 
commented on the HBB scheme that the order in which 
the measurement bases and the results for the test bits 
are revealed is crucial Q. They showed that the HBB 
scheme becomes insecure if the measurement bases are re- 
vealed before the results for the test bits. They suggested 
the following sequence: first, Bob and Charlie publicly 
disclose their measurement results for the test bits and 
afterwards, in the reversed order, they announce the cor- 
responding measurement bases. The reversed order is 
important such that none of them can gain too much in- 
formation from the actions of the previous parties. We 
want to stress that this is, nevertheless, not a very effi- 
cient way to secure the protocol since the order of the 



In three articles 0, [2l[ the authors presented a 
series of inequalities to test for genuine multipartite en- 
tanglement and for k-separability for any multipartite 
qudit system. These Bell-like inequalities are easily ex- 
perimentally implementable as only local observables are 
needed. We present here how two inequalities designed 
for the HBB protocol described above can be used to 
check for adversaries. 

The idea is that the attack strategy based on auxil- 
iary qubits as presented in Ref. Q does not work if the 
parties can verify that they share a genuinly multipartite 
entangled n-qubit state. The intervention of an untrustcd 
party, e.g. Charlie, is based on the auxiliary qubits he 
introduces into the protocol to gain additional informa- 
tion about Bob's results. Differently stated, it changes 
the overall state and this can be detected by performing 
certain additional setups and evaluating the inequalities 
given in cq. © below. 

Before we present the inequalities we need to define 
bi-separ ability: If the density operator of a 3 qubit state 
can be decomposed into the following form 

Pbisep — 

Y^PjPab ® Pc + QjPac ®Pb+Y1 r i( y> BC ® Pa > 

3 3 3 

(4) 

with pj , qj ,rj > and J2j Pj + Qj + = 1 , it is called 
biseparable. Here the two-body states p J AB , p 3 BC and 
p J AC can describe entangled states. Even though there is 
no bipartite splitting with respect to which the state p 
is separable, it is considered biseparable since it can be 
prepared through a statistical mixture of bipartite entan- 
gled states. Generalization to n-qubit states is straight- 
forward. 

Based on the bi-separ ability we can define the inequal- 
ities for the 3-qubit case of the HBB protocol. Using 
<j\ := I and the abbreviation for the Pauli operators 

(<Tj (g) ctj (g) <j k ) p := ijk (5) 

we can rewrite and linearize the inequalities derived in 
Refs. [ill, [l^| in terms of local observables: 
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11 : — (xxx — yyx — yxy — xyy) — y^r(3 ■ 111 — zzl — zlz — Izz) < 

12 '■ -^{yyy — xxy — xyx — yxx) — — (3 • 111 — zzl — zlz — Izz) < . (6) 



These inequalities are satisfied for all biseparable states, 
ft is convex, therefore it obviously valid for mixed states. 

As it is easy to see the first inequality uses combina- 
tions of local observables which are needed in the original 
HBB scheme to form the secret key (cf. table fl} whereas 
the second inequality uses combinations which are dis- 
carded in the original protocol (i.e. yyy, yxx, xyx and 
xxy). Unfortunately, the latter one can only be applied 
if the initial state is the "imaginary" GHZ state 

|$ > = -L(|000)+i|lll». (7) 

Thus, we have to adjust the original HBB protocol in 
the following way: Alice prepares at random one of two 
states, either the standard GHZ state |<3/) or the state 
|$). Then, she distributes the qubits between Bob and 
Charlie as in the original protocol. Due to the use of the 
inequalities in eq. © the Z-basis has to be introduced as 
an additional measurement basis. After Bob and Charlie 
performed their measurements they announce their bases 
and Alice tells them to reveal some of their results to 
test for the inequalities. Here, Alice tests with the first 
inequality of eq. © whenever she prepared the state 
1^/) and with the second inequality when she prepared 
|$). We want to stress that Alice does not announce 
which initial state she prepared until after the check for 
eavesdroppers. Therefore, the sequence in which Bob 
and Charlie announce their bases and results is irrelevant 
since a cheating Charlie can not be sure whether Alice 
initially prepared |\&) or |$). Hence, Charlie introduces 
a certain error and will be detected by the legitimate 
parties as it is explained in detail in the next section. 

The application of the inequalities makes it possible 
to overcome the check for the correct order of the mes- 
sages and thus makes the protocol less complex. The 
introduction of the second GHZ state |$) does not in- 
fluence the efficiency, since combinations of observables 
which are discarded in the original protocol can be used 
with the state |<£>) and vice versa. The only drawback is 
the additional measurement basis Z , which is not nec- 
essary to establish the secret but is needed to compute 
the inequalities. Fortunately, we can overcome also this 
problem by choosing Z only with a certain probability q, 
which can go to in the asymptotic limit. 

IV. SECURITY PROOF FOR 3 QUBITS 

In particular the first inequality in eq. (JSJ) is violated 
by the GHZ-state |\&) in the computational basis with the 



value i, which is the optimum for any GHZ-state repre- 
sentation. Note that there are several representations of 
the GHZ-state which would give no violation. 

The security check - optimized for the basis system the 
three parties agreed on - would therefore use some of the 
measurement results to evaluate the inequalities (similar 
to the check for adversaries suggested in 0]). Addition- 
ally, the three parties also have to perform measurements 
in the Z basis to evaluate the inequalities, which slightly 
changes the protocol, as pointed out above. If the in- 
equalities are violated, the parties can be sure that no 
adversary is present, what we prove in the following. 

In Ref. [2(| it has been shown - using a more gen- 
eral approach than in Q - that the original HBB scheme 
Q is insecure against a dishonest Charlie. The main 
idea is again that Charlie intercepts the qubit flying to 
Bob and entangles it with an ancillary qubit. Later 
on, he uses his qubit together with the ancillary qubit 
to infer Alice's measurement result without Bob's assis- 
tance. In detail, Charlie uses an ancillary qubit in the 
state \0)e and entangles it with the intercepted qubit 
B using the Hadamard operation H = 1/V2(|0)(0| + 
|0)(1| + |1)(0| - |1)(1|) on qubit B and a CNOT opera- 
tion CNOT = \Q){Q\®l+\l){l\®a x on qubits B and E. 
This brings the initial system abc ®\0)e into the 
states 

|*i) = i(|0000) + 10101) + 11010) - 11111) ) ABC E ■ (8) 

Charlie sends qubit B to Bob and waits until Alice and 
Bob announce their measurement bases. According to 
the measurement results of Alice and Bob, the qubits C 
and E in Charlie's possession collapse into some prede- 
fined state. In case both Alice and Bob measure in the 
X basis Charlie obtains one of the states 
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(9) 



Charlie uses this fact together with the information about 
Bob's measurement basis and result to determine the cor- 
rect value he has to announce to stay undetected. Fur- 
ther, Charlie is also able to compute Alice's result with- 
out any help of Bob [2(| , which makes the whole protocol 
insecure. 
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Taking our suggested modified version of the HBB 
scheme performing the check for adversaries based on 
the inequalities and employing 2 GHZ states at random 
Charlie is always detected with a certain probability. As 
pointed out, Charlie's attack mainly relies on the infor- 
mation about Bob's bases and results, which he can also 
obtain in our modified version. Nevertheless, Charlie is 
unable to decide which initial state Alice prepared such 
that he can only guess the correct result to violate the 
inequalities. 

In detail after Charlie's attack the four qubit state is 
a mixture of the two following states are mixed 

= i(|0000) + |0101) + |1010)-|llll))ABCB 

|$ 2 > = -(|0000) + |0101)+*|1010)-*|1111))abc7b. 

(10) 

Ignoring Charlies additional qubit the first inequality de- 
rives to I\ : — j — P < and the second inequality derives 



to I2 : \ — p < with p being the probability that Al- 
ice chooses the state |vt'i). These values are different to 
the expected values without cheating parties, thus Char- 
lie will be revealed. On the other hand Charlie can try 
to act by local unitaries on qubit C or by unitaries on 
qubits CE (here we used the convenient paramctrization 
of the unitary group U (4) in Rcf. [22]) such that the value 
of I\ gets more positive but the trade off is that I2 gets 
more negative, again this can be detected. In summary, 
the sugg ested attack to the HBB scheme presented in 
Ref. [20| as well as any generalization of it is detected by 
the test of the two inequalities. 



V. SECURITY PROOF FOR n QUBITS 

The inequalities provided by the framework presented 
in Refs. [HI, Ell can t> e extended to any number of qubits. 
To give an example, for the 4-qubit case described in the 
previous section we get a similar inequalities: 



— {xxxx — yyxx — yxyx — xyyx — xxyy — xyxy — yxxy + yyyy) — 

— (7 ■ 1111 — zzll — zllz — Wzz — zlzl — Izlz — Izzl — zzzz) < and 

16 v ' ~ 

-(xxxy + xxyx + xyxx + yxxx — xyyy — yxyy — yyxy — yyyx) — 
8 

-^(7 • 1111 - zzll - zllz - Wzz- z\z\ - lzlz~ \zz\ - zzzz) < (11) 
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Also in this case, the four communicating parties sacrifice 
some of their measurement results to test the inequali- 
ties. If they are satisfied they have to assume that an 
adversary is present. Extending the attack strategy from 
[HI to four parties the state Charlie uses in his attack is 
a 6-qubit entangled state. Due to his intervention, the 
genuine 4-qubit state is destroyed and thus no genuine 
4-qubit entanglement can be detected using the inequal- 
ities. Hence, the legitimate communication parties dis- 
cover Charlie's intervention and abort the protocol. 

The inequalities for n qubits can be derived straight 
forward from the 3-qubit case (eq. |6]) and the 4-qubit 
case (eq. ITT]) . Thus, the check for adversaries can be 
performed in the same way as described above. This gives 
the advantage that the communication parties no longer 
have to rely on the order of the messages. The adversary, 
Charlie, does not know which of the measurement results 
count for the test of the inequalities and which count for 
the secret. Hence, he sends measurement results which 
do not violate the inequalities and therefore he is detected 
by the other parties also in the most general case. 



VI. CONCLUSION 

In this article we presented a security argument for 
general HBB-type quantum secret sharing schemes be- 
tween n parties. The check for adversaries of such pro- 
tocols is in general getting more and more inefficient if a 
large number of parties is involved. We present a differ- 
ent security strategy based on the verification of genuine 
multipartite entanglement itself which is at the heart of 
such protocols and in addition that is efficient also for 
large number of parties. 

In a slightly different version of the HBB protocol 
we described a way to integrate this security check effi- 
ciently, i.e. by simple Bell-like inequalities (Refs. |18lll9l |) 
adapted to the protocol. They use the data which is usu- 
ally not regarded for the protocol and a measurement in 
a third direction has to be introduced. 

A test of these inequalities is a much stronger state- 
ment than the common test for eavesdroppers presented 
e.g. in Refs [!, 0) as they indicate the presence of an 
adversary because any adversary has to change the n- 
partite entangled state in order to obtain any information 
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on the secrete. 

Certainly, our presented general scheme may be ap- 
plied to secret sharing protocols involving multi-qudit 
systems or graph states. 
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